Serious Docker Engine Vulnerability Enables Attackers to Circumvent Authorization Plugins

Docker Warns of Critical Flaw in Docker Engine

Docker has issued an urgent alert regarding a significant vulnerability affecting various versions of the Docker Engine. This flaw could allow attackers to bypass authorization plugins (AuthZ) under certain conditions, posing a serious security risk for users.

Tracked as CVE-2024-41110, this authorization bypass and privilege escalation vulnerability has been assigned a severity score of 10.0 on the Common Vulnerability Scoring System (CVSS), marking it as critical. According to the Moby Project maintainers, an attacker could exploit the flaw by sending an API request with the Content-Length header set to zero. This causes the Docker daemon to forward the request to the AuthZ plugin without its body, so a plugin whose decision depends on the body contents may approve a request it should have denied.
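To make that failure mode concrete, here is an added example (not code from Docker or the Moby project) of the plugin side of the exchange. It models a minimal AuthZ plugin whose only rule is "deny container creation with `HostConfig.Privileged` set", and compares a plugin that fails open when no body arrives with one that fails closed. The request structure follows the documented plugin protocol's field names (`User`, `RequestMethod`, `RequestURI`, `RequestHeaders`, `RequestBody`); the policy, the sample requests, the API version in the URI and the user name are constructed for this example, and modelling only those fields is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthZRequest is the subset of the JSON document the daemon POSTs to a plugin's
// AuthZPlugin.AuthZReq endpoint. Field names follow the documented plugin
// protocol; modelling only these fields is an assumption of this example.
type AuthZRequest struct {
	User           string            `json:"User"`
	RequestMethod  string            `json:"RequestMethod"`
	RequestURI     string            `json:"RequestURI"`
	RequestHeaders map[string]string `json:"RequestHeaders"`
	RequestBody    []byte            `json:"RequestBody"`
}

// AuthZResponse is the plugin's verdict.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg"`
}

// bodyDependentEndpoint reports whether this (constructed) policy needs the body
// to decide: container creation, because the privileged flag lives in HostConfig.
func bodyDependentEndpoint(method, uri string) bool {
	path := strings.SplitN(uri, "?", 2)[0]
	return method == "POST" && strings.HasSuffix(path, "/containers/create")
}

// requestsPrivileged parses a container-create body and reports HostConfig.Privileged.
func requestsPrivileged(body []byte) (bool, error) {
	var spec struct {
		HostConfig struct {
			Privileged bool `json:"Privileged"`
		} `json:"HostConfig"`
	}
	if err := json.Unmarshal(body, &spec); err != nil {
		return false, err
	}
	return spec.HostConfig.Privileged, nil
}

// FailOpenDecide denies only when a parsed body asks for a privileged container.
// With no body forwarded the deny rule never matches, so the request is approved:
// the incorrect approval the advisory describes.
func FailOpenDecide(req AuthZRequest) AuthZResponse {
	if !bodyDependentEndpoint(req.RequestMethod, req.RequestURI) {
		return AuthZResponse{Allow: true}
	}
	if len(req.RequestBody) == 0 {
		return AuthZResponse{Allow: true, Msg: "no body forwarded, deny rule did not match"}
	}
	if priv, err := requestsPrivileged(req.RequestBody); err == nil && priv {
		return AuthZResponse{Allow: false, Msg: "privileged containers are not permitted"}
	}
	return AuthZResponse{Allow: true}
}

// FailClosedDecide applies the same rule but refuses to approve a body-dependent
// request whose body is missing or cannot be parsed.
func FailClosedDecide(req AuthZRequest) AuthZResponse {
	if !bodyDependentEndpoint(req.RequestMethod, req.RequestURI) {
		return AuthZResponse{Allow: true}
	}
	if len(req.RequestBody) == 0 {
		return AuthZResponse{Allow: false, Msg: "policy needs the request body but none was forwarded"}
	}
	priv, err := requestsPrivileged(req.RequestBody)
	if err != nil {
		return AuthZResponse{Allow: false, Msg: "request body could not be parsed"}
	}
	if priv {
		return AuthZResponse{Allow: false, Msg: "privileged containers are not permitted"}
	}
	return AuthZResponse{Allow: true}
}

// SampleRequests returns two constructed requests: the create call as the daemon
// should forward it, and the same call as an affected daemon forwards it
// (Content-Length 0, body absent).
func SampleRequests() (withBody, withoutBody AuthZRequest) {
	body := []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)
	withBody = AuthZRequest{
		User:           "alice",
		RequestMethod:  "POST",
		RequestURI:     "/v1.45/containers/create?name=test",
		RequestHeaders: map[string]string{"Content-Type": "application/json", "Content-Length": fmt.Sprint(len(body))},
		RequestBody:    body,
	}
	withoutBody = withBody
	withoutBody.RequestHeaders = map[string]string{"Content-Type": "application/json", "Content-Length": "0"}
	withoutBody.RequestBody = nil
	return withBody, withoutBody
}

func main() {
	withBody, withoutBody := SampleRequests()
	for _, c := range []struct {
		name string
		req  AuthZRequest
	}{{"body forwarded", withBody}, {"body missing", withoutBody}} {
		fmt.Printf("%-15s fail-open allow=%-5v  fail-closed allow=%v\n",
			c.name, FailOpenDecide(c.req).Allow, FailClosedDecide(c.req).Allow)
	}
}
```

Run as `go run main.go`: the fail-open plugin denies the privileged create only when the body is forwarded and approves the body-less copy, while the fail-closed plugin denies both. The actual fix is in the daemon, so a fail-closed plugin policy is defence in depth for plugin authors, not a replacement for upgrading.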

Notably, Docker disclosed that this vulnerability is a regression of an issue originally identified in 2018 and fixed in Docker Engine v18.09.1 in January 2019. That fix was not carried forward into later versions, including those released from v19.03 onward.

The vulnerability was fixed in Docker Engine versions 23.0.14 and 27.1.0 on July 23, 2024, after being identified earlier in April. Users should be aware that Docker Engine versions up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0 are affected when AuthZ plugins are used to make access control decisions.

Gabriela Georgieva from Docker emphasized that users running Docker Engine v19.03.x and higher without authorization plugins are not at risk. Likewise, all versions of Mirantis Container Runtime are unaffected. Docker's commercial products and internal infrastructure that do not use AuthZ plugins are also safe from exploitation.

However, Docker Desktop users are cautioned that the issue affects versions up to 4.32.0. While the probability of exploitation is limited, since it requires local access to the Docker API, the company anticipates releasing a fix in version 4.33. It is worth noting that the default Docker Desktop configuration does not include AuthZ plugins, and that any privilege escalation is limited to the Docker Desktop virtual machine rather than the underlying host.

Although Docker has not reported any incidents of CVE-2024-41110 being actively exploited in the wild, it is crucial for users to update their installations to the latest versions to reduce the risk of security breaches. Earlier this year, the company had also focused on addressing several vulnerabilities collectively referred to as "Leaky Vessels," which could allow unauthorized access to the host filesystem and facilitate container breakouts.

With the growing adoption of cloud services and container technologies, experts warn of the inherent risks these systems carry. A recent report by Palo Alto Networks’ Unit 42 highlighted that while containers offer numerous benefits, they are also vulnerable to attack techniques such as container escapes due to their shared kernel architecture and incomplete isolation from host user modes.

In summary, business owners and IT professionals should prioritize upgrading their Docker installations to safeguard against this critical vulnerability and stay informed about emerging cybersecurity threats as part of their risk management strategies.
